Raymii.org
Quis custodiet ipsos custodes?Home | About | All pages | Cluster Status | RSS Feed
Nagios plugin to check CRL expiry in minutes
Published: 02-05-2013 | Author: Remy van Elst | Text only version of this article
❗ This post is over eleven years old. It may no longer be up to date. Opinions may have changed.
Table of Contents
This is a nagios plugin which you can use to check if a CRL (Certificate Revocation List, public list with revoked certificates) is still valid. This is based on the check_crl.py plugin from Michele Baldessari. It is modified it so that it checks the time in minutes (for more precision) instead of days, it has a GMT time comparison bug fixed and I've added error handling so that if the plugin cannot get a crl file (because the webserver is down) it gives a Critical error in nagios.
Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:
I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!
Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.
You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!
Download
Download the plugin from my github
Download the plugin from raymii.org
Install and Usage
This guide covers the steps needed for Ubuntu 10.04/12.04 and Debian 6. It should also work on other distro's, but make sure to modify the commands where needed.
Make sure you have openssl, python3 and a module needed by the script installed on the nagios host:
apt-get install python3 openssl python-m2crypto
Now place the script on the host. I've placed in /etc/nagios/plugins/check crl.py_.
wget -O /etc/nagios/plugins/check_crl.py http://raymii.org/s/inc/downloads/check_crl.py
Make sure the script is executable:
chmod +x /etc/nagios/plugins/check_crl.py
Now test the script. I'm using the URL of the Comodo CA CRL file which is the CA that signed my certificate for raymii.org.
/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 480 -c 360
OK CRL Expires in 5109 minutes (on Thu May 9 07:30:32 2013 GMT)
/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5200 -c 360
WARNING CRL Expires in 5108 minutes (on Thu May 9 07:30:32 2013 GMT)
/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5000 -c 5300
CRITICAL CRL Expires in 5108 minutes (on Thu May 9 07:30:32 2013 GMT)
Lets add the nagios command:
define command{
command_name crl_check
command_line /etc/nagios-plugins/check_crl.py -u $ARG1$ -w $ARG2$ -c $ARG3$
}
And lets add the command to a service check:
define service {
use generic-service
host_name localhost
service_description Comodo PositiveSSL CA2 CRL
contact nagiosadmin
check_command crl_check!http://crl.comodoca.com/PositiveSSLCA2.crl!24!12
}
The above service check runs on the nagios defined host "localhost", uses the (default) service template "generic-service" and had the contact "nagiosadmin". As you can see, the URL maps to $ARG1$, the warning hours to $ARG2$ and the critical hours to $ARG3$. This means that if the field "Next Update:" is less then 8 hours in the future you get a warning and if it is less then 6 hours you get a critical.
Changelog
03-04-2013: - Changed time to minutes for more precision - Fixed timezone bug by comparing GMT with GMT
06-11-2012: - Changed checking interval from dates to hours - Added error catching if a crl file cannot be retrieved.
Tags: certificates , crl , monitoring , nagios , openssl , revoke , software , ssl